Trust & Security
1. Where your data lives
Client data submitted to SAMRoute is stored within the European Union, on our own off-cloud infrastructure located in Ille-et-Vilaine, France (Brittany). The same site hosts our development and testing environments, which are kept separate from production. OVHcloud (in France) carries the web-front and CDN layer only (the user-facing pages), without holding client data. Any departure from this arrangement requires the customer's prior written agreement, recorded in the Subscription.
2. Authentication and logging
Access to the portal goes through standard authentication. Standard application logs record requests and errors for operational monitoring and post-incident analysis. The credentials each customer uses are personal to their account; access through those credentials is treated as the customer's action under the Terms of Service.
3. Sub-processors
Operating SAMRoute requires a small number of third parties acting under our instructions. They are bound by equivalent confidentiality and security obligations.
| Sub-processor | Role | Region |
|---|---|---|
| OVHcloud | Production hosting (compute, storage) | France |
| Stripe | Payment processing for monthly subscriptions | EU / Ireland |
| Mapbox | Map tiles, geocoding, vector services | EU |
| Mailgun | Transactional and operational email | EU |
Customers can request the up-to-date list at any time via the legal channel below; material changes are notified before they take effect.
4. Retention and deletion
Customer data is retained for the duration of the Subscription and during the export window that follows the end of the contract. After that window, the data is removed from active environments. Backups follow the standard retention cycle and are not used operationally; the Data deletion page describes how to request earlier removal of personal data, including under GDPR Article 17.
5. Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for customers acting as data controllers. It specifies the purposes, the categories of data, the security measures, the retention periods, and the procedures for exercising data-subject rights. Requests go to legal@oriskami.com.
6. Incident response
If a personal-data breach affects customer data, we notify the affected customer as soon as possible so that they can comply with their own legal obligations. Reports of suspected vulnerabilities, anomalies, or misuse should be sent to security@samroute.com — we read that mailbox and respond. We will publish a /.well-known/security.txt advertising the same address as the practice grows.
7. Standards and certifications
The security work behind SAMRoute follows the controls described on this page and in the contractual documents. Formal certifications are stated explicitly when obtained, with date and certifying body. The page therefore reflects the current standing at any moment: it lists the controls in force today, and certifications will be added here as they are achieved.
8. Reach us
For privacy, GDPR, or DPA matters, write to legal@oriskami.com. For security reports or incident notifications, write to security@samroute.com. Both addresses are monitored.
